Re: redhat kerberos PAM
>>>>> "Joel" == Joel Kociolek <joko@logidee.com> writes:
Joel> I wouldn't say that I know of a decent one. I'm too
Joel> inexperienced with this, and from what I've understood, it
Joel> could be really "indecent" to use PAM with kerberos. But
I think using PAM is OK for login sessions, e.g. xdm, text mode console,
etc. That way the user doesn't need to have a Unix-style password.
Joel> I've managed to make Franck Cusack's PAM module work with
Joel> heimdal with only a small patch. You can find the module on
Joel> http://www.fcusack.com/ and my patch on
Joel> http://ns1.logidee.com/~joko/heimdal/
If I was to package a PAM module for Debian Linux, which one should I
use? Or should I wait until one is included with Heimdal?
Nicolas> There's a PAM_KRB5 somewhere in the heimdal site.
Where?
Nicolas> It looks pretty good, except for one serious, easily
Nicolas> fixable problem: the krb5 password validation function is
Nicolas> called without a valid prompter function, so the krb5
Nicolas> library is allowed to believe that the user can be
Nicolas> prompted via the tty.
Nicolas> The solution to this problem is simple: add a krb5
Nicolas> prompter function whose prompter_data is a PAM handle and
Nicolas> have this prompter convert krb5 prompts to PAM prompts
Nicolas> and so on.
Nicolas> That said, this is the ONLY PAM_KRB5 module I have seen
Nicolas> so far that gets password-aging right, namely by
Nicolas> attempting to get an initial ticket to the password
Nicolas> changing service so as to change the user's password and
Nicolas> then get a TGT for the user.
Is this going to be fixed by the author/maintainer?
Jacques> I just committed a pam_krb5 port (based on fcusack's
Jacques> pam_krb5 also) for FreeBSD that can be compiled for
Jacques> either MIT or Heimdal. One can look at the patches at
Jacques> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/pam_krb5/files
Jacques> Looking at your patches it looks as if I may have missed
Jacques> a bit with the password change -- no surprise, I haven't
Jacques> really tested that, due to the fact that my users don't
Jacques> appear in /etc/passwd normally.
Or is this the URL here?
--
Brian May <bam@snoopy.apana.org.au>